
Problem Statement

I have a requirement for a business continuity plan using AWS Cloud VPC with the following requirements -

  1. In our developers' AWS VPC private subnet, we will have Workspaces (i.e. AWS secure Desktop-as-a-Service) for each developer
  2. From these workspaces, each developer can connect to different remote clouds using VPN, i.e. public clouds GCP/AWS/Azure or even on-premise datacenters. These different remote datacenters or public clouds may have overlapping IP address ranges, and we have no control over the management of these IP ranges.
  3. Developers can easily switch and connect between different clouds from the workspace using VPN

AWS native services/features do not help directly

Site2Site VPN - To cater to these requirements, AWS site-to-site VPN transit networking is out of scope because it does not allow overlapping IP ranges.
Going an indirect way to solve overlapping IP address ranges, there is a redundant site-to-site VPN plan in the AWS documentation, but it is for the failover scenario, and I need all remote clouds to be connectable at any time, i.e. always active.

Transit Gateway - AWS Transit Gateway does not help because it ideally does not allow overlapping IP ranges in multicloud networks.
There is a way to do route segmentation, i.e. separation of the routing path for each combination of interconnecting clouds, using multiple route tables in the Transit Gateway, but this approach requires such segmentation per Transit Gateway attachment, and an AWS VPC can't have more than one attachment.
Also, even if we do something like that, maybe using software VPN on EC2 instances (not sure if possible), I am not sure if we can easily connect from each workspace and switch to all the different clouds, because the developers' AWS VPC subnet route table can't have overlapping IP ranges in the Destination.


My Approach for a Solution

My Network Plan
In the same subnet, I was thinking of using a software-based IPSec VPN approach, i.e. one EC2 instance will have a VPN service like strongSwan and iptables rules for SNAT. This approach is inspired by the AWS Support answer on Configure NAT for VPN Traffic.
For each cloud/datacenter, there will be an EC2 instance set up with software IPSec VPN and iptables rules.
On the remote side also, there will be a gateway for the VPN, just like the AWS VGW and Customer Gateway pairing.
For traffic to go from the Workspace to the right remote cloud using VPN, I have to make an entry in the route table of the subnet with the Destination as the IP address range of the remote cloud and the Target as the ENI id of the VPN EC2 instance.
The problem with this approach is, again, that for remote clouds with overlapping IP addresses, I can't have an entry in the developers' AWS VPC subnet route table.

To solve this problem, I was thinking of doing something like IP range manipulation, in which I will have completely made-up or unreal IP ranges for each overlapping remote cloud, i.e. for a cloud with the real IP range 192.168.x.y/16, the unreal one will be 10.10.p.q/16.
After that, I will have a separate EC2 VPN server for each of these remote clouds. Then, for the route to any of the remote clouds, the entry in the route table will be 10.10.p.q/16 as the destination and the ENI id of the EC2 VPN server as the target.
On the EC2 VPN server, we will have iptables rules set up, which will do something like PREROUTING DNAT and POSTROUTING SNAT for IP-only forwarding, as shown in this Stack Overflow Q/A.
The developers on the workspaces will have to know the mapping between unreal and real IPs and send traffic using the unreal IP. The EC2 VPN server iptables rules will have to be updated using custom scripts to keep this mapping up to date.

I am not sure of correctness or effectiveness of my above approach.

Another problem by implication of my above approach
It also raises the doubt that, even if I can connect to instances with specific IPs in the remote cloud, what about accessing the other cloud services like serverless functions or APIs, or managed/abstract services like DBs/LBs?
Though this can be done by sending traffic via the IGW in the developers' VPC or by connecting to a bastion host in the remote cloud.


Another approach, which I found on the internet, is setting up a custom multicloud overlay network, which seems daunting or rocket science.
I am also not sure if open-source VPNs like OpenVPN, or pfSense-like firewall/networking software, can help with some of their native features to solve my original problem.

I have gained all my networking and VPN knowledge while working on AWS Cloud only, and I am not well versed in the depths of networking in general in computer science.

Please help with these problems.

Prats
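The per-cloud "unreal to real" translation described in the question, written out as an added example (this is not code from the question, the AWS Support answer, or the Stack Overflow post it cites). It renders the iptables rules one EC2 VPN server would need for the cloud it fronts; the mapping table, the tunnel interface name `vti0`, the SNAT addresses and the cloud names are all constructed assumptions, and the rules are printed rather than applied unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example: render the NAT rules for one EC2 VPN server that maps a made-up
# ("unreal") prefix, used in the developer subnet's route table, to the real
# prefix of the remote cloud this server tunnels to. NETMAP rewrites only the
# network part of the address, so 10.10.3.7 becomes 192.168.3.7, and conntrack
# reverses the translation for the replies. Tunnel interface and SNAT addresses
# are assumptions of this example, not values from the question.

# Constructed mapping table: cloud  unreal_prefix  real_prefix  tunnel_if  snat_ip
MAPPING='
gcp-dev    10.10.0.0/16  192.168.0.0/16  vti0  10.0.1.5
azure-dev  10.11.0.0/16  192.168.0.0/16  vti0  10.0.1.6
onprem     10.12.0.0/16  10.0.0.0/16     vti0  10.0.1.7
'

# Print the rule set for one cloud (the one this EC2 instance is the gateway for).
rules_for_cloud() {
    cloud="$1"
    printf '%s\n' "$MAPPING" | while read -r name unreal real tun snat; do
        [ "$name" = "$cloud" ] || continue
        # The subnet route table points $unreal at this instance's ENI, so the
        # instance must forward (and the ENI needs source/dest check disabled).
        echo "sysctl -w net.ipv4.ip_forward=1"
        # Deny-by-default forwarding: only the mapped prefix may cross the tunnel.
        echo "iptables -P FORWARD DROP"
        # Workspace -> remote: rewrite the unreal destination to the real one
        # before the routing decision, so the packet is routed into the tunnel.
        echo "iptables -t nat -A PREROUTING -d $unreal -j NETMAP --to $real"
        # Remote side sees a single source address; the developer subnet stays hidden.
        echo "iptables -t nat -A POSTROUTING -o $tun -d $real -j SNAT --to-source $snat"
        echo "iptables -A FORWARD -o $tun -d $real -j ACCEPT"
        # Replies come back through conntrack; nothing unsolicited enters from the tunnel.
        echo "iptables -A FORWARD -i $tun -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    done
    return 0
}

# Usage: ./vpn-nat.sh gcp-dev        (print)
#        APPLY=1 ./vpn-nat.sh gcp-dev (apply as root on that cloud's VPN server)
if [ "${APPLY:-0}" = "1" ] && [ -n "$1" ]; then
    rules_for_cloud "$1" | sh -e
elif [ -n "$1" ]; then
    rules_for_cloud "$1"
fi
```

Because each server only holds the NETMAP rule for its own cloud, two clouds that share 192.168.0.0/16 get distinct unreal prefixes in the subnet route table while their real prefixes never have to coexist in the same table.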
  • You could simply put a bastion host in a public subnet of each network you need to connect to, and not network any of it together. If you want to link it all together you probably need to remove overlapping CIDR ranges. – Tim Aug 15 '20 at 09:15
  • @Tim Thank you for your reply. Other needs too are going to come there, I think, so I need to learn about how this networking could be achieved. Also, it would be difficult to change the IP ranges of the remote centers. – Prats Aug 15 '20 at 15:51
  • Would it not be possible with other mechanisms like central VPN server in the VPC with multiple network interfaces in different subnets, then routing traffic to overlapping IP range remote centers at separate network interfaces? I am not sure if this makes sense, if not, any other approach suggested here would be helpful. – Prats Aug 15 '20 at 15:53
  • I think if you wanted more people to help you should edit your question to be in three sections. First section should be the problem or requirements. Second section should be current state. Third section should be your ideas. That would make it easier to understand, to read, and I think you'd get more help. – Tim Aug 15 '20 at 21:03
  • Thanks @Tim, I have reformatted to give my best in asking here. – Prats Aug 16 '20 at 11:51

0 Answers